Persistent Data-only Malware: Function Hooks without Code

As protection mechanisms become increasingly advanced, so too does the malware that seeks to circumvent them. Protection mechanisms such as secure boot, stack protection, heap protection, W X , and address space layout randomization have raised the bar for system security. In turn, attack mechanisms have become increasingly sophisticated. Starting with simple instruction pointer manipulation aimed at executing shellcode on the stack, we are now seeing sophisticated attacks that combine complex heap exploitation with techniques such as return-oriented programming (ROP). ROP belongs to a family of exploitation techniques called data-only exploitation. This class of exploitation and the malware that is built around it makes use solely of data to manipulate the control flow of software without introducing any code. This advanced form of exploitation circumvents many of the modern protection mechanisms presented above, however it has had, until now, one limitation. Due to the fact that it introduces no code, it is very difficult to achieve any sort of persistence. Placing a function hook is straightforward, but where should this hook point to if the malware introduces no code? There are many challenges that must first be overcome if one wishes to answer this question. In this paper, we present the first persistent data-only malware proof of concept in the form of a persistent rootkit. We also present several methods by which one can achieve persistence beyond our proof of concept.